For a Puppet Nginx deployment (that is, using Nginx as a front-end
load balancer to puppetmasters), I had to create the following two
patches to match Apache behaviour:
* The first patch allows:
+ a new variant of ssl_client_verify: optional. In this mode, if the
client sends a certificate it is verified, but if the client doesn't
send a certificate, the connection is authorized too.
+ a new variable: $ssl_client_verify, which contains either NONE,
SUCCESS or FAILURE depending on the verification status. It can be used
to send information to the upstream about the client verification.
* The second patch adds CRL support to the client certificate
Nginx then verifies the client certificate hasn't been revoked in the
given CRL before allowing the connection to proceed.
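
A front-end configuration using the behaviour described above, as an added example that is not part of the original message or the patches. It uses the directive names from released nginx, where the verification directive is spelled ssl_verify_client; the file paths, backend addresses and X-Client-* header names are assumptions.

```nginx
# Added example: paths are placeholders, backend addresses and header names are assumed.
upstream puppetmasters {
    # Backends listen on loopback only, so nothing can reach them without
    # passing through this proxy and its certificate check.
    server 127.0.0.1:18140;
    server 127.0.0.1:18141;
}

server {
    listen 8140 ssl;

    ssl_certificate         /path/to/ssl/certs/master.pem;
    ssl_certificate_key     /path/to/ssl/private_keys/master.pem;

    # CA used to verify client certificates, and the CRL checked against it.
    # A certificate listed in the CRL fails verification.
    ssl_client_certificate  /path/to/ssl/ca/ca_crt.pem;
    ssl_crl                 /path/to/ssl/ca/ca_crl.pem;

    # Verify a certificate when the client presents one, but still accept
    # the connection when it presents none.
    ssl_verify_client       optional;

    location / {
        proxy_pass http://puppetmasters;

        # Pass the verification status and subject DN to the upstream.
        # proxy_set_header replaces any same-named header the client sent,
        # so the upstream only ever sees nginx's own verdict.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header Host            $host;
    }
}
```

Because optional mode lets unauthenticated clients through, the authorization decision moves to the upstream, which should treat any value other than SUCCESS in the forwarded status as an unauthenticated request.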